Tesla’s Model S can be located, unlocked, and burglarized with a simple hack

This site may earn affiliate commissions from the links on this page. Terms of use.

While Tesla’s Model S might be physically the safest car on the road, once it’s parked up by the curb, it’s not very secure at all. That’s according to a security researcher, who says the Model S is very vulnerable to some rudimentary hacking techniques, allowing a would-be thief to remotely locate your car, unlock its doors, and then steal all your stuff. Fortunately, the researcher hasn’t yet found a way of starting a Model S without the key fob, but given how security always eventually falls to hackers, it’s just a matter of time.

At the Black Hat Asia conference in Singapore last week, security researcher and Tesla owner Nitesh Dhanjani presented his findings on the Model S’s various computer and communications systems. Basically, Dhanjani found that a single password is all that prevents a thief/hacker from locating and unlocking your Model S. With that password, a thief could use the Model S’s iOS app to locate and unlock the car.

The use of just a password is known as single-factor authentication, and it’s an absolute no-no in the security industry if you’re protecting absolutely anything of value. To add insult to injury, Tesla only enforces a minimum password length of six characters with at least one number — a perilously weak password scheme, especially when combined with the fact that the Tesla website doesn’t appear to limit incorrect login attempts. Single-factor authentication is also very weak to phishing, malware, people using the same password on multiple services, email account compromises (“yes, I forgot my Tesla password, please email me the reset link…”).

Basically, if you own a Model S, you should make sure your Tesla account password is suitably strong. You should also ensure that your email account is secure (if you’re using Gmail or Outlook/Hotmail, enable two-factor authentication), and be savvy towards any malware/phishing attempts. [It seems that Tesla has recently bumped up the minimum password length to eight characters, incidentally.]

Other Model S vulnerabilities

Dhanjani also found a vulnerability in the way that third-party apps interface with the Model S, potentially allowing these apps to locate and unlock your car. For now, he says the best solution is to not use any third-party apps until Tesla releases an official app SDK and cleans up some of its back-end processes.

Beyond those rather easy hacks, Dhajani also took a look a brief look at the security of the Model S’s on-board computer and networking subsystems. He used a WiFi sniffer to see which IP addresses the Model S connects to (for the remote unlock and other telemetry features). He also used the car’s built-in diagnostic connector, which can be connected to a laptop with an M12 to RJ45 connector, to probe the car’s various computers. He found a bunch of servers (the center console, the dashboard screen, and at least one other unidentified device) all with open ports. The center console, for example, has an HTTP server on port 80 — if you visit http://192.168.90.100/nowplaying.png from your laptop, you get the album art for what’s currently playing. There are a couple of open SSH servers (but Dhajani didn’t work out the name/pass to gain access), and an NFS share that appears to contain navigation data among other things.

At this point, I should note Dhajani didn’t get anywhere close to the car’s actual ECU (engine control unit) or other vital systems. We’re probably not about to see a spate of hacked Model S sedans losing their brakes or otherwise behaving oddly.

It’s also worth pointing out that, as far as security is concerned, it’s very, very difficult to secure a system when the hacker has gained physical access. The obvious attack vector here is a malicious car valet, which could use the car’s dashboard connector to discover sensitive data, or to install a backdoor that allows the valet’s partners in crime to easily steal/burglarize the car at a later date.

All in all, Dhanjani’s efforts are fairly rudimentary at the moment — it’s the kind of thing that most technically proficient people could pull off with a few simple tools — but that’s what makes it so scary, too. The good news is, Tesla could easily mitigate all of the security vulnerabilities highlighted here, by requiring two-factor authentication to unlock or locate the car, and provide a physical lock for the dashboard connector that owners can use when using a car valet service.

The main takeaway here is that, yes, as computers slowly eke their way into everything — cars, fridges, washing machines, etc. — the security threats will shift from physical (hot wiring) to technological (hacking). We shouldn’t be surprised if the first few generations of computer- and network-enabled devices are woefully insecure. The good news is that, after the first high-profile case of an exploding fridge or fatal car hacking, it should improve pretty quickly.

Tagged In

This site may earn affiliate commissions from the links on this page. Terms of use.

ExtremeTech Newsletter

Subscribe Today to get the latest ExtremeTech news delivered right to your inbox.

Email

This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our
Terms of Use and
Privacy Policy. You may unsubscribe from the newsletter at any time.